UK Update: Top Tips – Managing Data Protection Issues in the Workplace
10/10/2023

It has now been over five years since the GDPR (General Data Protection Regulation) came into force – and with it a major shift in what was expected of organisations when it comes to data protection compliance.
Although the GDPR was originally a European regulation, the standards and principles it set out have been transposed into UK law through the Data Protection Act 2018, which introduced a new UK GDPR.
In the intervening period, employers have navigated the COVID pandemic and massive changes to the way we work, including the increase in hybrid working, which has inevitably led to changes in the way they hold and use data. From our experience advising clients on their data protection compliance obligations over these last five years, here are our top tips when it comes to managing data protection issues in the workplace:
- Review / update your documentation and processes
Many organisations were racing to prepare data maps, records of data processing activities and privacy notices before the implementation of GDPR in May 2018, but have you looked at them since? These should be “living documents” which should be reviewed regularly to reflect the current forms of personal data your organisation holds, the lawful uses for storing that data and who that data is shared with. They should also be updated to take into account the introduction of UK GDPR (as distinct from EU GDPR).
- Put in place a subject access request action plan
All data subjects have the right to request access to the personal data that is held about them. However, the short timescales to respond and the increasingly litigious uses made of these requests can make them a real challenge to deal with. Look to put in place an action plan for dealing with these requests in as efficient a manner as possible, overseen by appointed individuals who are familiar with the steps required to search for the data requested and to assess what material does / does not need to be disclosed to requesters.
- Carefully consider lines of communication
Managers need to be aware of the risk that what they put in writing (including over email or Teams) may well be caught and have to be disclosed if subject access requests are made by employees. With that being the case, if there is a need to have a sensitive discussion about a staff issue look to do that over the phone or in a meeting rather than reducing thoughts to writing.
- Carry out regular DPIAs to document decisions about new forms of data processing
DPIAs (short for data privacy impact assessments) are mandatory in certain instances; however, we would recommend that they are undertaken whenever you are introducing any new form of processing of employee data. A DPIA should set out the purposes behind the processing, any likely adverse impact on the employees affected, and whether there are any suitable alternatives, all with a view to helping you judge whether it is appropriate to go ahead with the proposed processing activity.
- Take care when it comes to monitoring workers
Monitoring of staff is a controversial area and, when it is being considered, it is vital that a DPIA is carried out to demonstrate why the monitoring is proportionate, taking into account the degree of intrusion on the privacy of the staff, the legitimacy of the reasons for the monitoring, and the fact that there are no less intrusive alternative options available. If monitoring is to be carried out, it is essential that staff are given sufficient notice about the monitoring, why it is happening and what the data collected will be used for.
- Avoid retaining data unnecessarily
A key data protection principle is that organisations should hold onto data for no longer than necessary for the purposes for which it was collected and, once the data has served its purpose, it should be deleted. If you have not already done so, put in place a data retention policy / schedule which sets out clear time limits for how long particular categories of data ought to be held, in light of your legal obligations or for so long as is necessary to defend any potential claim.
- Be prepared for data breaches
Data breaches, cyber attacks and security incidents are now a fact of life. They will happen, and our strong advice is to be prepared and put a data breach response policy in place. That policy should set out who to contact in the event of a breach, the appointed response team for dealing with the breach, and even draft template communications to be used. Having a policy like this in place will ensure you are best equipped to mitigate the impact of any breach and are able to comply with your reporting obligations to the regulator and the affected individuals.
- Don’t forget about job applicants
The scope of data collected from applicants (and the uses made of that data) may be very different compared to existing employees, and that gives rise to a different set of considerations. It is important to ensure that you can point to one of the lawful bases set out in the GDPR to justify the collection of the data that you are requesting from job applicants – and particular care should be taken to ensure you have a legitimate basis when applicants are asked to provide demographic data (e.g. details about their gender, race/ethnicity, sexual orientation, etc.). For most organisations it will be appropriate to build a bespoke job applicant privacy notice into the recruitment process so that applicants are clear on what the data collected about them through the process will be used for.
- Review your third-party contracts
It is important that you understand where your data flows – and the extent to which it is shared with third parties (such as payroll providers, benefits providers and external HR or cloud platforms). Where data is being shared, the GDPR mandates certain protections which must be included in the contracts that govern the data sharing arrangement. Additional contractual protections (or safeguard mechanisms) are also required when the data flows internationally. These will typically include the use of either: (i) the UK Addendum to the EU Standard Contractual Clauses; or (ii) the approved UK International Data Transfer Agreement. It is essential that you review your contracts and ensure that you have legally compliant contracts in place which include these mandatory protections and clauses.
- Keep up to date
Data protection is a fast-moving area, as the law and the supporting guidance adapt to meet changes in technology, and it is important to make efforts to keep up to date. The ICO and the European Data Protection Board regularly publish new guidance which aims to give organisations further best practice insight into how they might demonstrate data protection compliance.
We often say that compliance is a journey, not a destination. It requires an ongoing commitment and if the team at TALI can help you along the way please do not hesitate to get in touch. In particular, now might be a good time to consider carrying out an organisation-wide privacy audit / compliance “health check” through our newly established Data Protection Consultancy practice. If that sounds of interest, you can contact us to arrange a time to discuss further.
By Burness Paull LLP, Scotland, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact ukscotland@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.